ML092440508


Slides from August 27, 2009, Meeting with Pacific Gas and Electric Process Protection System Replacement
Document: ML092440508 (21 pages)
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 08/27/2009
From: J. W. Hefler (Altran Solutions Corp), S. B. Patterson (Pacific Gas & Electric Co)
To: Division of Operating Reactor Licensing


Text

1 DIABLO CANYON POWER PLANT PROCESS PROTECTION SYSTEM REPLACEMENT

Scott B. Patterson, PE, PMP, Pacific Gas & Electric Co., Avila Beach, CA, sbp1@pge.com, 805-545-4082
John W. Hefler, PE, Altran Solutions Corp., San Francisco, CA, jhefler@altransolutions.com, 415-543-6111

2 Agenda
- Scope of project
- Eagle-21 Replacement Platform
- Diversity and Defense in Depth
- Cyber Security
- Communications
- PG&E LAR and Schedule

3 Project Scope

4 Diablo Canyon Eagle 21 PPS (ATWS)

Solid State Protection System (SSPS)

Note - Protection Set and Division can be interchanged

5 Typical Eagle 21 Protection Set Note - Protection Set and Division can be interchanged

6 Diverse Equipment Not Subject to Common Cause Failure (CCF)

(Unaffected by Replacement PPS Project)

7 Replacement Process Protection System (PPS) Licensing Concept
- Start with the Eagle 21 Safety Evaluation Report (SER) for Diablo Canyon
- Determine differences between the SER and current Diversity and Defense-in-Depth guidance (USNRC ISG #2)
- Develop an approach that addresses ISG #2 guidance with minimal impact on the existing protection system design

8 Existing FSAR Chapter 15 Event Analyses That Take Credit for Manual Operator Action (where both primary and backup protection are in Eagle 21)
- Loss of Forced Reactor Coolant Flow, Locked Rotor (single loop, above P-8): operator action within 5 minutes - reactor trip. Mitigating function is RCS Flow.
- Loss of Coolant Accidents (SBLOCA, LBLOCA): operator action within 10 minutes - Safety Injection and Containment Spray. Mitigating functions are Pressurizer Pressure and Containment Pressure.

9 ISG-02 Guidance
ISG-02 Section 5 states that there are two design attributes, each of which is sufficient to eliminate consideration of CCF:
(1) Diversity - [if] sufficient diversity exists in the protection system such that common cause failures within channels can be considered to be fully addressed without further action, no additional diversity would be necessary in the safety system.
(2) Testability - a system is sufficiently simple such that every possible combination of inputs, internal and external initial states, and every signal path can be tested; that is, the system is fully tested and found to produce only correct responses.
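The testability attribute is concrete only when the state space is small enough to enumerate. The following added example (not from the presentation or from either vendor) shows what "every combination of inputs and internal states" means for a deliberately simplified model: four protection channels, each with a bistable comparator input and a maintenance mode (normal, bypass or trip), feeding a 2-of-4 coincidence vote. The channel modes, the partial-trip rule and the vote are a generic textbook simplification and are assumptions of this example, not the Diablo Canyon PPS or SSPS logic. Every one of the 6^4 combinations is generated and checked against three specification properties.

```python
"""Exhaustive test of a simplified protection-channel / coincidence model.

Added example illustrating the ISG-02 "testability" attribute: a logic
simple enough that every combination of inputs and internal states can be
enumerated and checked against its specification. The channel modes,
partial-trip rule and 2-of-4 vote below are a generic simplification and
are NOT the Diablo Canyon PPS or SSPS logic.
"""
from enum import Enum
from itertools import product


class ChannelMode(Enum):
    NORMAL = "normal"  # in service: output follows the bistable comparator
    BYPASS = "bypass"  # removed from service: partial trip forced off
    TRIP = "trip"      # removed from service: partial trip forced on (fail-safe)


def channel_partial_trip(exceeds_setpoint: bool, mode: ChannelMode) -> bool:
    """Discrete partial-trip output of one protection channel."""
    if mode is ChannelMode.TRIP:
        return True
    if mode is ChannelMode.BYPASS:
        return False
    return exceeds_setpoint


def coincidence_trip(partial_trips, required: int = 2) -> bool:
    """M-of-N coincidence vote (the SSPS function in this model)."""
    return sum(1 for p in partial_trips if p) >= required


def demanding(exceeds_setpoint: bool, mode: ChannelMode) -> bool:
    """Specification view: does this channel legitimately demand a trip?"""
    return mode is ChannelMode.TRIP or (mode is ChannelMode.NORMAL and exceeds_setpoint)


def run_exhaustive_test(n_channels: int = 4, required: int = 2):
    """Enumerate every (comparator input, mode) combination across all channels
    and check three specification properties for each. Returns the tuple
    (combinations_checked, combinations_that_tripped)."""
    channel_states = list(product([False, True], list(ChannelMode)))  # 6 per channel
    checked = tripped = 0
    for combo in product(channel_states, repeat=n_channels):
        partials = [channel_partial_trip(e, m) for e, m in combo]
        result = coincidence_trip(partials, required)
        n_demanding = sum(1 for e, m in combo if demanding(e, m))

        if n_demanding < required:
            # P1: fewer than `required` legitimate demands never trip; in particular
            #     a single failed/tripped channel, or a bypassed channel whose
            #     comparator is exceeded, cannot trip the plant alone.
            assert not result, combo
        else:
            # P2: `required` or more legitimate demands always trip; one channel in
            #     bypass does not mask a valid demand on the remaining channels.
            assert result, combo

        # P3: the comparator of a bypassed channel has no effect on the output.
        for i, (e, m) in enumerate(combo):
            if m is ChannelMode.BYPASS:
                flipped = list(combo)
                flipped[i] = (not e, m)
                alt = coincidence_trip(
                    [channel_partial_trip(e2, m2) for e2, m2 in flipped], required)
                assert alt == result, (combo, i)

        checked += 1
        tripped += int(result)
    return checked, tripped


if __name__ == "__main__":
    n, t = run_exhaustive_test()
    print(f"{n} input/state combinations checked, {t} produce a reactor trip")
```

The point of the example is the shape of the argument, not the numbers: the whole input and state space (1296 combinations here) is walked, so "fully tested and found to produce only correct responses" is a finished proof rather than a sampling claim. The space grows exponentially with channels, modes and any internal memory or timers, which is why the attribute only applies to a system that is "sufficiently simple".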

10 Proposed Replacement PPS Addresses CCF Without an Additional DAS or Manual Actions
- The CS Innovations Advanced Logic System (ALS) architecture is internally diverse, logic-based and is not susceptible to CCF due to software. It implements key design attributes which (when combined with appropriate application development V&V) are sufficient to address common cause failure issues.
- The Tricon architecture is software-based; CCF must be considered and addressed. Sufficient external, automatic diverse functions exist for channels processed through Tricon (unchanged from the Diablo Canyon Eagle 21 SER).
- Functions previously credited with automatic mitigation in the Diablo Canyon Eagle 21 SER continue to be mitigated automatically.
- Provides controls and indications unaffected by CCF (BTP 7-19 Position 4): independent of any digital software processing, and isolated as needed to prevent potential control/protection interaction.
- The proposed replacement automates the three functions previously credited for manual mitigation in the Eagle 21 SER. Eliminating manual actions enhances safety.

11 Replacement PPS Concept (ALS Provides Inherently Diverse Front-End Isolation and Actuation)

[Block diagram of the replacement PPS. The connections are not recoverable from the text extraction; the signal and device labels that survive are listed below.]
- ALS RTD Inputs (200 ohm platinum)
- Analog inputs (4-20 mA): Containment Pressure, RCS Flow, PZR Pressure, NR Temperatures, WR Temperatures, S/G Feedflow, Process Inputs
- Neutron Flux Inputs (0-10 VDC)
- Discrete inputs/outputs: Trips to SSPS, Protection Set Trouble, Protection Set Failure, Channel(s) in Bypass, DTTA RTD Failure, RNARA/RNARB
- Analog outputs (4-20 mA): Class I Analog Outputs, Non Class I Analog Outputs, PZR Pressure (DTTA), AMSAC, Process Control, DFWCS
- Data links (fiberoptic communication links): PPC, Maintenance Terminal / Workstation (Class II), HMI, MAS, Tricon Remote Chassis
- Class I and Class II boundaries are marked on the diagram.
Note: SSPS & AMSAC are original equipment; not being replaced.

Abbreviations:
ALS - Advanced Logic System
DFWCS - Digital Feedwater Control System
DTTA - Delta T/Taverage (Thermal Trips)
HMI - Human Machine Interface
PPC - Plant Process Computer
PZR - Pressurizer
RNARA/RNARB - Auxiliary Relay Cabinets
RTD - Resistance Temperature Detector
RCS - Reactor Coolant System
SSPS - Solid State Protection System
WR - Wide Range

12 Cyber Security - ISG-01
Diablo Canyon is responsible for ensuring compliance with the applicable cyber security regulations and guidance during all life cycle phases of the plant upgrade, following 10 CFR 73.54, Regulatory Guide 1.152 Rev. 2 and ISG-01.

Applicable to:
- Vendor equipment software development
- Diablo Canyon software development and maintenance

Two vendors have been selected:
- Invensys - Tricon
- CS Innovations (CSI) - Advanced Logic System

13 Cyber Security Summary
Diablo Canyon intends to fully comply with the applicable guidance on cyber security, both for the vendor design program (offsite) and for the onsite installation, testing and later phases, as called for in NRC Reg. Guide 1.152, ISG-01 and the applicable regulations.

14 ISG-04, Highly Integrated Control Rooms - Communications Issues
Four Areas of Interest:
1. Interdivisional Communications (the area of interest is listed as Data Communications)
2. Command Prioritization
3. Multidivisional Control & Display Stations
4. Digital System Network Configuration (only referenced in the Appendix of ISG-04, as integrated with the other sections)

15 Data Communications
Safety-to-non-safety digital communication interfaces:
- Plant Process Computer (PPC) - obtains data from all four divisions (read only). Currently this is an analog output from Eagle 21 and an analog input to the PPC (less accurate, requires calibrations, not all desired parameters available).
- Maintenance Video Display Unit (MVDU) - one per division (read/write).

16 Data Communications - MVDU (Maintenance Video Display Unit) Functions
- Removing a channel from service (bypass, trip, defeat alarms, etc.)
- Updating specific tunable parameters
- Calibrating analog and digital outputs
- Troubleshooting and diagnostics
Need the ability to update parameters with an MVDU while taking only the affected channel out of service.
Need the ability to perform troubleshooting and diagnostics without taking the channel out of service.

17 Data Communications - MVDU (Maintenance Video Display Unit)
The vendors need to provide details on an approved process to change a selected number of tunable parameters that routinely change due to plant conditions:
- Full Power Delta-T
- Full Power Tavg
- Streaming constants for Thot
- Normalization of steam flow and RCS flow indications
It is highly desired for the MVDU to be non-safety. This will most likely be a combination of hardware, software and administrative controls.
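The access rules stated on slides 15 to 17 (PPC read-only to all four divisions; one read/write MVDU per division; writes limited to the short list of routinely tuned parameters; a parameter update takes only the affected channel out of service) amount to a small least-privilege policy. The following added example, which is not PG&E or vendor code, encodes those rules as the software part of the hardware/software/administrative combination the slide anticipates. Division names, parameter keys, engineering-unit bounds and the "channel out of service" interlock are illustrative assumptions, not values from the presentation.

```python
"""Policy model of the PPS safety-to-non-safety interfaces (slides 15-17).

Added example, not PG&E or vendor code. Division names, parameter keys,
value bounds and the out-of-service interlock are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class Access(Enum):
    READ_ONLY = "read-only"    # the PPC link
    READ_WRITE = "read/write"  # one MVDU per division


# Parameters the slide lists as routinely changing with plant conditions.
# Bounds are placeholders for this example, not plant values.
TUNABLE_BOUNDS: Dict[str, Tuple[float, float]] = {
    "full_power_delta_t": (40.0, 80.0),
    "full_power_tavg": (550.0, 600.0),
    "thot_streaming_constant": (0.0, 1.0),
    "steam_flow_normalization": (0.8, 1.2),
    "rcs_flow_normalization": (0.8, 1.2),
}


@dataclass
class Division:
    name: str
    values: Dict[str, float]
    channel_in_service: bool = True  # True while the channel feeds the SSPS (assumed interlock)


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Interface:
    """One external client of the PPS: the PPC, or one division's MVDU."""
    client: str
    access: Access
    divisions: FrozenSet[str]  # divisions this interface is physically connected to

    def read(self, division: Division, name: str) -> float:
        if division.name not in self.divisions:
            raise AccessDenied("not connected to division")
        return division.values[name]

    def write(self, division: Division, name: str, value: float) -> None:
        # Checks are ordered from cheapest/most general to most specific.
        if self.access is not Access.READ_WRITE:
            raise AccessDenied("read-only interface")
        if division.name not in self.divisions:
            raise AccessDenied("not connected to division")
        if name not in TUNABLE_BOUNDS:
            # Setpoints and other constants stay under the formal design-change process.
            raise AccessDenied("parameter is not tunable")
        lo, hi = TUNABLE_BOUNDS[name]
        if not lo <= value <= hi:
            raise AccessDenied("value out of range")
        if division.channel_in_service:
            # Slide 16: a parameter update takes only the affected channel out of service.
            raise AccessDenied("affected channel must be out of service")
        division.values[name] = value


def attempt_write(iface: Interface, division: Division, name: str, value: float) -> str:
    """Return "ok" or the denial reason, so outcomes can be tabulated."""
    try:
        iface.write(division, name, value)
        return "ok"
    except AccessDenied as exc:
        return str(exc)


def build_plant():
    """Constructed sample configuration: four divisions, one PPC, four MVDUs."""
    base = {
        "full_power_delta_t": 60.0, "full_power_tavg": 577.0,
        "thot_streaming_constant": 0.5, "steam_flow_normalization": 1.0,
        "rcs_flow_normalization": 1.0,
        "ot_delta_t_setpoint": 1.12,  # illustrative non-tunable constant
    }
    divisions = {n: Division(n, dict(base)) for n in ("I", "II", "III", "IV")}
    ppc = Interface("PPC", Access.READ_ONLY, frozenset(divisions))
    mvdus = {n: Interface(f"MVDU-{n}", Access.READ_WRITE, frozenset({n})) for n in divisions}
    return divisions, ppc, mvdus


if __name__ == "__main__":
    divs, ppc, mvdus = build_plant()
    print("PPC read Div III Tavg:", ppc.read(divs["III"], "full_power_tavg"))
    print("PPC write:", attempt_write(ppc, divs["I"], "full_power_tavg", 578.0))
    print("MVDU-I -> Div II:", attempt_write(mvdus["I"], divs["II"], "full_power_tavg", 578.0))
    divs["I"].channel_in_service = False
    print("MVDU-I -> Div I (out of service):", attempt_write(mvdus["I"], divs["I"], "full_power_tavg", 578.0))
```

Two design points carry over to the real system. First, the per-division scoping (`divisions` on each `Interface`) is only as strong as the physical connection it models; the slide's one-MVDU-per-division arrangement should be enforced by cabling and isolation, with this check as a second layer. Second, the PPC's read-only property should likewise be a property of the link rather than of a flag in software, which is the usual reason a one-way interface is preferred for the non-safety side.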

18 ISG-04 Appendix - Priority List Items
1. Communication between safety divisions - N/A
2. Control of both safety and non-safety components from a non-safety VDU - N/A
3. HMI to multiple divisions of safety digital systems (Area of Interest 3) - one MVDU (read/write) per division; PPC (read only) connected to all divisions
4. Operating a reactor using information displayed on a non-safety VDU for all plant conditions - N/A
5. Requirements for priority modules - N/A
6. Safety HMI control on non-safety components - N/A
7. Design requirements for non-safety devices involved in inter-channel (inter-divisional?) communication (non-safety VDU, shared sensors) (Area of Interest 3) - Plant Computer (read only)
8. Communication involving diverse non-safety systems (Area of Interest 1) - AMSAC (not changing), analog interface only
9. Safety communications protocols (Profibus between safety divisions, Ethernet between digital safety systems and safety HMI) (Area of Interest 4?) - Network Configuration

19 License Amendment Request and Schedule
- Implementation for the first unit: 4/30/12
- Based on a 2-year review time, submittal of the LAR would need to be by April 2010
- If this is a Tier 1 submittal, NRC has advertised a 10 to 13 month review time; this depends on having an approved Topical Report from each vendor to reference
- This would move the latest required LAR submittal date to March 2011, allowing more time for submitting a complete package and for resolving any issues in Phase 0

20 LAR Schedule (cont)
- Unclear how much detailed design needs to be complete (final) before the LAR is submitted
- When do we submit our D3 evaluation? Our goal is to submit and get approval prior to LAR submittal
- DCPP has requested to be a pilot plant for the ISG-06 licensing process. What are the expectations for this process? For this to be effective, ISG-06 needs to be mostly complete

21 Questions